loki-mode 7.41.5 → 7.43.0

package/autonomy/loki

@@ -1057,6 +1057,7 @@ cmd_start() {
                 echo "Options:"
                 echo "  --provider NAME       AI provider: claude (default), codex, cline, aider"
                 echo "  --parallel            Enable parallel mode with git worktrees"
+                echo "  --allow-haiku         Enable Haiku model for the fast tier (default: disabled)"
                 echo "  --bg, --background    Run in background mode"
                 echo "  --simple              Force simple complexity tier (3 phases)"
                 echo "  --complex             Force complex complexity tier (8 phases)"
@@ -1180,6 +1181,17 @@ cmd_start() {
                 args+=("--parallel")
                 shift
                 ;;
+            --allow-haiku)
+                # Enable Haiku for the fast tier. Mirrors the LOKI_ALLOW_HAIKU=true
+                # env var (consumed by providers/claude.sh and run.sh). Documented in
+                # loki --help and run.sh; previously only the env var worked here, so
+                # `loki start ./prd.md --allow-haiku` aborted with "Unknown option".
+                # Export reaches the runner; also forward as an arg so the run.sh
+                # parser (run.sh:15015) sees it on every route.
+                export LOKI_ALLOW_HAIKU=true
+                args+=("--allow-haiku")
+                shift
+                ;;
             --regen-prd|--regenerate-prd|--regen|--fresh-prd)
                 # v7.8.1: force a fresh generated PRD on a no-PRD run, overriding
                 # the staleness-aware reuse (decide_generated_prd_action in
@@ -13178,13 +13190,18 @@ FEOF
                 ;;
             --disable)
                 if [ -f "$failover_file" ]; then
-                    python3 -c "
-import json
-with open('$failover_file') as f: d = json.load(f)
+                    if _FAILOVER_FILE="$failover_file" python3 -c "
+import json, os
+failover_file = os.environ['_FAILOVER_FILE']
+with open(failover_file) as f: d = json.load(f)
 d['enabled'] = False
-with open('$failover_file', 'w') as f: json.dump(d, f, indent=2)
-" 2>/dev/null
-                    echo -e "${YELLOW}Failover disabled${NC}"
+with open(failover_file, 'w') as f: json.dump(d, f, indent=2)
+"; then
+                        echo -e "${YELLOW}Failover disabled${NC}"
+                    else
+                        echo -e "${RED}Error: failed to disable failover${NC}"
+                        return 1
+                    fi
                 else
                     echo "Failover not initialized."
                 fi
@@ -13212,13 +13229,19 @@ with open('$failover_file', 'w') as f: json.dump(d, f, indent=2)
                     return 1
                 fi
 
-                python3 -c "
-import json
-with open('$failover_file') as f: d = json.load(f)
-d['chain'] = '$new_chain'.split(',')
-with open('$failover_file', 'w') as f: json.dump(d, f, indent=2)
-" 2>/dev/null
-                echo "Failover chain updated: $new_chain"
+                if _FAILOVER_FILE="$failover_file" _NEW_CHAIN="$new_chain" python3 -c "
+import json, os
+failover_file = os.environ['_FAILOVER_FILE']
+new_chain = os.environ['_NEW_CHAIN']
+with open(failover_file) as f: d = json.load(f)
+d['chain'] = new_chain.split(',')
+with open(failover_file, 'w') as f: json.dump(d, f, indent=2)
+"; then
+                    echo "Failover chain updated: $new_chain"
+                else
+                    echo -e "${RED}Error: failed to update failover chain${NC}"
+                    return 1
+                fi
                 shift
                 ;;
             --test)
@@ -18601,16 +18624,16 @@ else:
                 exit 1
             fi
 
-            python3 -c "
+            _REGISTRY_FILE="$registry_file" _PROJ_PATH="$path" _PROJ_NAME="$name" _PROJ_ALIAS="$alias" python3 -c "
 import json
 import os
 import hashlib
 from datetime import datetime, timezone
 
-registry_file = '$registry_file'
-path = '$path'
-name = '$name' or os.path.basename(path)
-alias = '$alias' or None
+registry_file = os.environ['_REGISTRY_FILE']
+path = os.environ['_PROJ_PATH']
+name = os.environ['_PROJ_NAME'] or os.path.basename(path)
+alias = os.environ['_PROJ_ALIAS'] or None
 
 # Generate project ID
 project_id = hashlib.md5(path.encode()).hexdigest()[:12]
@@ -18651,7 +18674,7 @@ with open(registry_file, 'w') as f:
 print(f'  Path: {path}')
 if alias:
     print(f'  Alias: {alias}')
-" 2>/dev/null
+"
             ;;
 
         remove|rm)
@@ -18662,12 +18685,12 @@ if alias:
                 exit 1
             fi
 
-            python3 -c "
+            _REGISTRY_FILE="$registry_file" _IDENTIFIER="$identifier" python3 -c "
 import json
 import os
 
-registry_file = '$registry_file'
-identifier = '$identifier'
+registry_file = os.environ['_REGISTRY_FILE']
+identifier = os.environ['_IDENTIFIER']
 
 with open(registry_file, 'r') as f:
     data = json.load(f)
@@ -18690,7 +18713,7 @@ if found_id:
 else:
     print(f'Not found: {identifier}')
     exit(1)
-" 2>/dev/null
+"
             ;;
 
         discover)
@@ -18842,12 +18865,12 @@ print(f'Added: {added}, Missing: {missing}, Total: {len(projects)}')
         health)
             local identifier="${2:-$(pwd)}"
 
-            python3 -c "
+            _REGISTRY_FILE="$registry_file" _IDENTIFIER="$identifier" python3 -c "
 import json
 import os
 
-registry_file = '$registry_file'
-identifier = '$identifier'
+registry_file = os.environ['_REGISTRY_FILE']
+identifier = os.environ['_IDENTIFIER']
 
 # If it's a path, resolve it
 if os.path.isdir(identifier):
@@ -18886,7 +18909,7 @@ print('Health Checks:')
 for check, passed in checks.items():
     icon = '[OK]' if passed else '[FAIL]'
     print(f'  {icon} {check}')
-" 2>/dev/null
+"
             ;;
 
         --help|-h|help)
@@ -19040,17 +19063,17 @@ cmd_enterprise() {
                         esac
                     done
 
-                    python3 -c "
+                    _TOKEN_FILE="$token_file" _TOKEN_NAME="$name" _TOKEN_SCOPES="$scopes" _TOKEN_EXPIRES="$expires" python3 -c "
 import json
 import secrets
 import hashlib
 from datetime import datetime, timezone, timedelta
 import os
 
-token_file = '$token_file'
-name = '$name'
-scopes_str = '$scopes'
-expires_str = '$expires'
+token_file = os.environ['_TOKEN_FILE']
+name = os.environ['_TOKEN_NAME']
+scopes_str = os.environ['_TOKEN_SCOPES']
+expires_str = os.environ['_TOKEN_EXPIRES']
 
 # Parse scopes
 scopes = scopes_str.split(',') if scopes_str else ['*']
@@ -19105,7 +19128,7 @@ if expires_at:
 print('')
 print('Token (save this - shown only once):')
 print(f'  {raw_token}')
-" 2>/dev/null
+"
                     ;;
 
                 list|ls)
@@ -19174,12 +19197,12 @@ else:
                         exit 2
                     fi
 
-                    python3 -c "
-import json
+                    _TOKEN_FILE="$token_file" _IDENTIFIER="$identifier" python3 -c "
+import json, os
 from datetime import datetime, timezone
 
-token_file = '$token_file'
-identifier = '$identifier'
+token_file = os.environ['_TOKEN_FILE']
+identifier = os.environ['_IDENTIFIER']
 
 with open(token_file, 'r') as f:
     data = json.load(f)
@@ -19202,7 +19225,7 @@ if found_id:
 else:
     print(f'Token not found: {identifier}')
     exit(1)
-" 2>/dev/null
+"
                     ;;
 
                 delete)
@@ -19213,11 +19236,11 @@ else:
                         exit 2
                     fi
 
-                    python3 -c "
-import json
+                    _TOKEN_FILE="$token_file" _IDENTIFIER="$identifier" python3 -c "
+import json, os
 
-token_file = '$token_file'
-identifier = '$identifier'
+token_file = os.environ['_TOKEN_FILE']
+identifier = os.environ['_IDENTIFIER']
 
 with open(token_file, 'r') as f:
     data = json.load(f)
@@ -19241,7 +19264,7 @@ if found_id:
 else:
     print(f'Token not found: {identifier}')
     exit(1)
-" 2>/dev/null
+"
                     ;;
 
                 *)

package/autonomy/run.sh

@@ -7041,6 +7041,48 @@ enforce_test_coverage() {
             local output
             output=$(cd "${TARGET_DIR:-.}" && timeout "$gate_timeout" npx mocha 2>&1) || test_passed=false
             details="mocha: $(echo "$output" | tail -3 | tr '\n' ' ')"
+        else
+            # v7.41.x (test-coverage fail-open fix): a real "scripts.test" was
+            # previously missed entirely. A greenfield project whose package.json
+            # has {"scripts":{"test":"node --test"}} (or any non-placeholder test
+            # script) actually runs a working suite via `npm test`, yet the gate
+            # reported runner:none + pass:true -- so a project whose tests FAIL
+            # green-lit identically. Detect a real test script (excluding the npm
+            # placeholder "no test specified") with a JSON parser, not grep (grep
+            # would false-positive on devDeps / unrelated keys), then run the
+            # configured command. This MUST sit before the monorepo/python/go/rust
+            # checks, all of which gate on test_runner=="none".
+            local _pkg_test_script
+            _pkg_test_script=$(_LOKI_PKG="${TARGET_DIR:-.}/package.json" python3 -c "
+import json, os, sys
+try:
+    with open(os.environ['_LOKI_PKG']) as f:
+        d = json.load(f)
+except Exception:
+    sys.exit(0)
+t = (d.get('scripts') or {}).get('test') or ''
+# npm's default placeholder; treat as 'no test'.
+if 'no test specified' in t.lower():
+    sys.exit(0)
+sys.stdout.write(t.strip())
+" 2>/dev/null || echo "")
+            if [ -n "$_pkg_test_script" ]; then
+                # LOKI_TEST_COMMAND lets an operator override the invocation; the
+                # default is the project's own `npm test`.
+                local _test_cmd="${LOKI_TEST_COMMAND:-npm test}"
+                # Label the runner by what the script invokes so evidence is
+                # honest (node --test, vitest, jest, etc. all surface here).
+                case "$_pkg_test_script" in
+                    *"node --test"*|*"node:test"*) test_runner="node-test" ;;
+                    *vitest*) test_runner="vitest" ;;
+                    *jest*)   test_runner="jest" ;;
+                    *mocha*)  test_runner="mocha" ;;
+                    *)        test_runner="npm-test" ;;
+                esac
+                local output
+                output=$(cd "${TARGET_DIR:-.}" && timeout "$gate_timeout" sh -c "$_test_cmd" 2>&1) || test_passed=false
+                details="$test_runner ($_test_cmd): $(echo "$output" | tail -5 | tr '\n' ' ')"
+            fi
         fi
     fi
 
@@ -7165,10 +7207,23 @@ enforce_test_coverage() {
     fi
 
     if [ "$test_runner" = "none" ]; then
-        log_info "Test coverage: no test runner detected, skipping"
+        log_info "Test coverage: no test runner detected, recording inconclusive (not pass)"
+        # v7.41.x fail-open fix: previously this wrote pass:true, so a project
+        # whose tests truly do not run was indistinguishable from one whose tests
+        # passed. Record pass:"inconclusive" instead. The completion-council
+        # evidence gate already treats runner=="none" as pass-through regardless
+        # of the pass value (completion-council.sh: runner=='none' short-circuits
+        # BEFORE the `passed is False` block), so genuinely-no-tests stays
+        # non-blocking (no infinite hang), while the JSON record is now honest:
+        # "no tests" never reads as "tests passed". A DETECTED runner that fails
+        # still writes pass:false below and BLOCKS.
+        #
+        # unit-tests.pass is only read for the status-line display (run.sh ~2183,
+        # PASS vs PENDING); keeping the touch preserves the historical
+        # non-blocking behavior for legitimate no-test projects.
         touch "$quality_dir/unit-tests.pass"
         cat > "$quality_dir/test-results.json" << TREOF
-{"timestamp":"$(date -u +%Y-%m-%dT%H:%M:%SZ)","runner":"none","pass":true,"summary":"No test runner detected"}
+{"timestamp":"$(date -u +%Y-%m-%dT%H:%M:%SZ)","runner":"none","pass":"inconclusive","summary":"No test runner detected"}
 TREOF
         # Finding #598: stamp the per-iteration freshness marker so a later
         # completion-route capture (ensure_completion_test_evidence) reuses this
@@ -14161,6 +14216,22 @@ if __name__ == "__main__":
                 log_warn "  Review details under .loki/quality/reviews/ ; gate_failures=${gate_failures}"
                 _gate_block_for_completion=""
                 # Fall through; the gate-failed loop continues normally
+            # HIGH (trust-gate): the checklist hard gate must also guard the
+            # DEFAULT completion-promise / loki_complete_task route, not only the
+            # interval-gated council path (council_evaluate) and the dashboard
+            # force-review path -- both of which already call this gate. Without
+            # it, an agent that leaves a `priority: critical` checklist item
+            # `failing` and claims done on a non-council-interval iteration would
+            # ship, bypassing the checklist gate entirely. council_reverify_checklist
+            # ran above (when a claim is present) so statuses are fresh here.
+            # Mirrors the evidence/held-out gate arms below. No-op safe:
+            # council_checklist_gate returns 0 (pass) when there is no checklist
+            # results file or when no critical items are failing, so this branch
+            # never fires on those projects. Gate output is written by the gate.
+            elif [ "$_completion_claimed" = 1 ] && type council_checklist_gate &>/dev/null && ! council_checklist_gate; then
+                log_warn "Completion claim rejected: critical checklist item(s) failing (hard gate)."
+                log_warn "  Details under .loki/council/gate-block.json"
+                # Fall through; keep iterating until critical checklist items pass.
             # v7.19.1: the verified-completion evidence gate must also guard the
             # DEFAULT completion route (a completion claim via loki_complete_task
             # / the completion-promise text), not only the interval-gated council

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.41.5"
+__version__ = "7.43.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -7034,6 +7034,96 @@ def _pid_is_alive(pid):
         return None
 
 
+# Margin (seconds) added to the recorded reference time before a live pid is
+# judged to be a recycled (different) process. Must comfortably exceed clock
+# skew plus the launch-to-first-state-write gap so a genuine app is never
+# downgraded. A PID recycled after a crash typically belongs to a process that
+# started minutes or hours later, so a generous margin still catches recycles
+# while strongly biasing against the far worse false-positive of killing a live
+# app's status. See _reconcile_app_runner_liveness.
+_APP_RUNNER_PID_RECYCLE_MARGIN_SECONDS = 120
+
+
+def _pid_start_time(pid):
+    """Best-effort wall-clock start time of pid, as epoch seconds, or None.
+
+    Reads `ps -o lstart= -p <pid>`, which is available on both macOS and Linux
+    and prints the process start time in local time (e.g. "Sun Jun 14 18:39:15
+    2026"). The string is locale-dependent (%a/%b), so any parse failure, empty
+    output, or missing process returns None and the caller degrades gracefully
+    to its prior behavior. The returned epoch is timezone-correct because the
+    naive local timestamp is interpreted in the system's local zone before
+    conversion (ps reports local time; never mix it with a UTC value directly).
+    """
+    try:
+        pid = int(pid)
+    except (TypeError, ValueError):
+        return None
+    if pid <= 0:
+        return None
+    try:
+        out = subprocess.run(["ps", "-o", "lstart=", "-p", str(pid)],
+                             capture_output=True, text=True, timeout=5)
+    except (OSError, subprocess.SubprocessError):
+        return None
+    raw = (out.stdout or "").strip()
+    if not raw:
+        return None
+    try:
+        # lstart is local time without a zone; parse naive then attach the
+        # local zone so .timestamp() yields a correct epoch regardless of TZ.
+        naive = datetime.strptime(raw, "%a %b %d %H:%M:%S %Y")
+        local = naive.replace(tzinfo=datetime.now().astimezone().tzinfo)
+        return local.timestamp()
+    except (ValueError, OverflowError, OSError):
+        return None
+
+
+def _state_reference_epoch(state):
+    """Epoch seconds for state.json's recorded reference time, or None.
+
+    Uses `started_at` (rewritten by the app-runner on every state write; it is
+    the last-state-write time, not pure launch time). For a genuine process the
+    real start time is always <= this value, so it is a safe upper bound to
+    compare a live pid's start time against. The value is UTC (Z-suffixed).
+    """
+    if not isinstance(state, dict):
+        return None
+    started_at = state.get("started_at")
+    if not started_at:
+        return None
+    try:
+        ts = datetime.fromisoformat(str(started_at).replace("Z", "+00:00"))
+    except (ValueError, TypeError):
+        return None
+    if ts.tzinfo is None:
+        ts = ts.replace(tzinfo=timezone.utc)
+    return ts.timestamp()
+
+
+def _pid_is_recycled(state):
+    """True if the recorded main_pid is alive but is a DIFFERENT process now.
+
+    After the recorded app dies, the OS can recycle its numeric pid for an
+    unrelated process; os.kill(pid, 0) then reports the stale pid "alive"
+    forever and a dead run is never reconciled. We detect this by comparing the
+    live pid's real start time against the recorded reference time: a genuine
+    process started at or before the reference, so a live pid whose start time
+    is comfortably AFTER the reference cannot be the original.
+
+    Returns True only with positive evidence of recycling. Any missing data
+    (no recorded reference, start time unavailable) returns False so the caller
+    keeps its prior behavior -- best-effort, biased against false positives.
+    """
+    reference = _state_reference_epoch(state)
+    if reference is None:
+        return False
+    pid_start = _pid_start_time(state.get("main_pid"))
+    if pid_start is None:
+        return False
+    return pid_start > reference + _APP_RUNNER_PID_RECYCLE_MARGIN_SECONDS
+
+
 def _health_checked_age_seconds(state):
     """Seconds since last_health.checked_at, or None if unparseable/absent."""
     health = state.get("last_health")
@@ -7059,6 +7149,9 @@ def _reconcile_app_runner_liveness(state):
     Here we cross-check the recorded main_pid against the real OS before
     returning, and only ever downgrade -- never upgrade -- the status:
       - recorded running/starting + pid genuinely gone   -> "stopped"
+      - recorded running/starting + pid "alive" but its real start time is
+        after the recorded reference (the OS recycled a dead run's pid for an
+        unrelated process)                                -> "stopped"
       - recorded running/starting + pid not verifiable    +
         last_health.checked_at older than the threshold   -> "stale"
     Any failure falls back to the raw recorded status (fail open to the writer's
@@ -7076,6 +7169,15 @@ def _reconcile_app_runner_liveness(state):
             state["status"] = "stopped"
             state["liveness"] = "pid_gone"
             return state
+        if alive is True:
+            # The numeric pid exists, but os.kill(pid, 0) cannot tell whether it
+            # is still the SAME process. After a dead run the OS can recycle the
+            # pid; detect that via the process start time so a recycled pid is
+            # treated as gone rather than reported "running" forever.
+            if _pid_is_recycled(state):
+                state["status"] = "stopped"
+                state["liveness"] = "pid_recycled"
+            return state
         if alive is None:
             # Cannot verify via pid (e.g. compose subshell pid). Fall back to
             # the health-beat freshness with a generous threshold.

package/dashboard/static/index.html

@@ -3910,7 +3910,7 @@ var LokiDashboard=(()=>{var Ee=Object.defineProperty;var rt=Object.getOwnPropert
       `:e.steps!==void 0?`
         <div class="detail-panel">
           <div class="detail-header">
-            <h3>Skill: ${e.name}</h3>
+            <h3>Skill: ${this._escapeHtml(e.name)}</h3>
             <button class="close-btn" id="close-detail">&times;</button>
           </div>
           <div class="detail-body">
@@ -5518,7 +5518,7 @@ var LokiDashboard=(()=>{var Ee=Object.defineProperty;var rt=Object.getOwnPropert
           ${this._renderTabContent()}
         </div>
 
-        ${this._error?`<div class="error-banner">${this._error}</div>`:""}
+        ${this._error?`<div class="error-banner">${this._escapeHtml(this._error)}</div>`:""}
       </div>
     `,this._attachEventListeners())}_attachEventListeners(){let e=this.shadowRoot;if(!e)return;let t=e.getElementById("force-review-btn");t&&t.addEventListener("click",()=>this._forceReview()),e.querySelectorAll(".tab[data-tab]").forEach(i=>{i.addEventListener("click",()=>this._setTab(i.dataset.tab))})}_renderTabContent(){switch(this._activeTab){case"overview":return this._renderOverview();case"decisions":return this._renderDecisions();case"convergence":return this._renderConvergence();case"agents":return this._renderAgents();default:return""}}_renderOverview(){let e=this._councilState||{},t=e.consecutive_no_change||0,i=e.done_signals||0,a=e.total_votes||0,s=e.approve_votes||0,r=this._verdicts.length>0?this._verdicts[this._verdicts.length-1]:null,o=this._agents.filter(n=>n.alive).length;return`
       <div class="overview-grid">
@@ -5631,27 +5631,27 @@ var LokiDashboard=(()=>{var Ee=Object.defineProperty;var rt=Object.getOwnPropert
           <div class="agent-card ${this._selectedAgent?.id===t.id?"agent-selected":""}"
                data-agent-index="${i}">
             <div class="agent-header">
-              <span class="agent-name">${t.name||t.id||"Unknown"}</span>
+              <span class="agent-name">${this._escapeHtml(t.name||t.id||"Unknown")}</span>
               <span class="agent-status ${t.alive?"status-alive":"status-dead"}">
                 ${t.alive?"Running":"Stopped"}
               </span>
             </div>
             <div class="agent-meta">
-              ${t.type?`<span class="agent-type">${t.type}</span>`:""}
+              ${t.type?`<span class="agent-type">${this._escapeHtml(t.type)}</span>`:""}
               ${t.pid?`<span class="agent-pid">PID: ${t.pid}</span>`:""}
-              ${t.task?`<span class="agent-task">Task: ${t.task}</span>`:""}
+              ${t.task?`<span class="agent-task">Task: ${this._escapeHtml(t.task)}</span>`:""}
             </div>
             ${this._selectedAgent?.id===t.id?`
               <div class="agent-actions">
                 ${t.alive?`
-                  <button class="btn btn-sm btn-warn" data-action="pause" data-agent-id="${t.id||t.name}">
+                  <button class="btn btn-sm btn-warn" data-action="pause" data-agent-id="${this._escapeHtml(t.id||t.name)}">
                     Pause
                   </button>
-                  <button class="btn btn-sm btn-danger" data-action="kill" data-agent-id="${t.id||t.name}">
+                  <button class="btn btn-sm btn-danger" data-action="kill" data-agent-id="${this._escapeHtml(t.id||t.name)}">
                     Kill
                   </button>
                 `:`
-                  <button class="btn btn-sm btn-primary" data-action="resume" data-agent-id="${t.id||t.name}">
+                  <button class="btn btn-sm btn-primary" data-action="resume" data-agent-id="${this._escapeHtml(t.id||t.name)}">
                     Resume
                   </button>
                 `}
@@ -5660,7 +5660,7 @@ var LokiDashboard=(()=>{var Ee=Object.defineProperty;var rt=Object.getOwnPropert
           </div>
         `).join("")}
       </div>
-    `;return this._pendingRaf=requestAnimationFrame(()=>{this._pendingRaf=null;let t=this.shadowRoot;t&&t.querySelectorAll(".agent-card[data-agent-index]").forEach(i=>{let a=parseInt(i.dataset.agentIndex,10),s=this._agents[a];s&&(i.addEventListener("click",()=>this._selectAgent(s)),i.querySelectorAll("[data-action]").forEach(r=>{r.addEventListener("click",o=>{o.stopPropagation();let n=r.dataset.action,l=r.dataset.agentId;n==="pause"?this._pauseAgent(l):n==="kill"?this._killAgent(l):n==="resume"&&this._resumeAgent(l)})}))})}),e}_formatTime(e){if(!e)return"";try{return new Date(e).toLocaleTimeString([],{hour:"2-digit",minute:"2-digit"})}catch{return e}}_getStyles(){return`
+    `;return this._pendingRaf=requestAnimationFrame(()=>{this._pendingRaf=null;let t=this.shadowRoot;t&&t.querySelectorAll(".agent-card[data-agent-index]").forEach(i=>{let a=parseInt(i.dataset.agentIndex,10),s=this._agents[a];s&&(i.addEventListener("click",()=>this._selectAgent(s)),i.querySelectorAll("[data-action]").forEach(r=>{r.addEventListener("click",o=>{o.stopPropagation();let n=r.dataset.action,l=r.dataset.agentId;n==="pause"?this._pauseAgent(l):n==="kill"?this._killAgent(l):n==="resume"&&this._resumeAgent(l)})}))})}),e}_formatTime(e){if(!e)return"";try{return new Date(e).toLocaleTimeString([],{hour:"2-digit",minute:"2-digit"})}catch{return e}}_escapeHtml(e){return e?String(e).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;"):""}_getStyles(){return`
       :host {
         display: block;
         font-family: 'Inter', -apple-system, BlinkMacSystemFont, sans-serif;

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.41.5
+**Version:** v7.43.0
 
 ---
 
@@ -63,6 +63,7 @@ review verdict, evidence-related parses) so determinism is never affected.
 - [VS Code Extension (Deprecated)](#vs-code-extension-deprecated)
 - [Sandbox Mode](#sandbox-mode)
 - [Multi-Provider Support](#multi-provider-support)
+- [Environment Variables](#environment-variables)
 - [Claude Code (CLI)](#claude-code-cli)
 - [Claude.ai (Web)](#claudeai-web)
 - [Anthropic API Console](#anthropic-api-console)
@@ -367,6 +368,74 @@ When using `codex`, `cline`, or `aider` providers, Loki Mode operates in **degra
 
 ---
 
+## Environment Variables
+
+Loki Mode is designed to run with zero configuration: the trust-layer and
+quality features below are default-on and decide intelligently by inspecting
+the work. The environment variables here are opt-out escape hatches for power
+users, not required setup. Set the documented value to disable a feature; leave
+the variable unset to keep the intelligent default.
+
+### Trust-gate and completion knobs (default-on)
+
+These are read by the orchestrator (`autonomy/run.sh`) on every run.
+
+- `LOKI_REVIEW_INCONCLUSIVE_BLOCK` (default `1`) -- when a code-review cycle
+  returns zero usable verdicts (every reviewer produced empty output), the
+  review is treated as INCONCLUSIVE and the gate BLOCKS, because an all-empty
+  review proves nothing. A bounded one-shot retry runs first
+  (`LOKI_REVIEW_RETRY`, default `1`). Set `LOKI_REVIEW_INCONCLUSIVE_BLOCK=0` to
+  record the inconclusive result without blocking.
+
+- `LOKI_COMPLETION_TEST_CAPTURE` (default `1`) -- before the verified-completion
+  evidence gate runs, Loki captures a fresh `test-results.json` so the gate
+  scores on real PASS/FAIL test results instead of a stale or missing file. It
+  reuses this iteration's results if already fresh, and never crashes the
+  completion path on red tests (the gate is the decider). Set
+  `LOKI_COMPLETION_TEST_CAPTURE=0` to opt out.
+
+- `LOKI_AUTO_DOCS` (default `true`) -- auto-generates the `.loki/docs/` suite
+  before the documentation gate evaluates, so the gate scores on real generated
+  docs instead of nagging you to run `loki docs generate` by hand. Bounded:
+  runs at most once per run when docs are missing, and again only when existing
+  docs are substantially stale; best-effort, never fails the iteration loop.
+  Set `LOKI_AUTO_DOCS=false` to opt out.
+
+### Output-token compressor (caveman, Claude-only)
+
+Loki integrates [caveman](https://github.com/JuliusBrussee/caveman), an optional
+Claude Code skill that compresses the model's OUTPUT tokens only (keeping all
+technical substance). It activates on free-form generation (the main RARV dev
+loop) and is HARD-SUPPRESSED on every trust-gate subcall (council votes, code
+review verdicts, evidence-related parses) so determinism is never affected. It
+is Claude-provider-only; runs are byte-identical on Codex / Cline / Aider. These
+variables are read in `autonomy/lib/claude-flags.sh`.
+
+- `LOKI_CAVEMAN` (default on) -- set `LOKI_CAVEMAN=0` to disable the compressor.
+  Suppression on trust-gate subcalls is unconditional and applies even when
+  caveman is globally installed but `LOKI_CAVEMAN=0`, so trust gates are never
+  exposed to compression.
+
+- `LOKI_CAVEMAN_LEVEL` (default `full`) -- the compression level for free-form
+  activation. When you do NOT set this, the level is inferred per-invocation
+  from the run's RARV tier (planning -> `lite`, development/fast -> `full`); the
+  auto path never selects `ultra`. Setting `LOKI_CAVEMAN_LEVEL` explicitly
+  overrides the inference entirely (the opt-out escape hatch).
+
+- `LOKI_CAVEMAN_VERSION` (default `1.9.0`) -- the pinned caveman version used by
+  the one-time bootstrap. Bump only to upgrade the compressor.
+
+### RARV-C closure knobs (default-on)
+
+The Phase 1 / RARV-C closure loop (findings injection, override council,
+learnings writer, handoff doc) is default-on and documented in detail at the
+top of this guide under [Phase 1 RARV-C closure](#phase-1-rarv-c-closure-shipped-v750-default-on-as-of-v753):
+`LOKI_INJECT_FINDINGS`, `LOKI_OVERRIDE_COUNCIL`, `LOKI_AUTO_LEARNINGS`, and
+`LOKI_HANDOFF_MD` (each opt out with `=0`). For the full schema and
+reachability notes, see `skills/quality-gates.md`.
+
+---
+
 ## Claude Code (CLI)
 
 Loki Mode can be installed as a skill in three ways:

package/events/bus.py

@@ -328,17 +328,20 @@ class EventBus:
             Events as they arrive
         """
         start_time = time.time()
-        last_check = datetime.now(timezone.utc).isoformat()
 
         while True:
             if timeout and (time.time() - start_time) > timeout:
                 break
 
-            # Set last_check BEFORE fetching to avoid missing events that
-            # arrive between fetch and timestamp update
-            next_check = datetime.now(timezone.utc).isoformat()
-            events = self.get_pending_events(types=types, since=last_check)
-            last_check = next_check
+            # Dedup is driven solely by _processed_ids (maintained via
+            # mark_processed), NOT by a wall-clock `since` window. A local
+            # `since=now` filter silently drops any event whose timestamp is
+            # at or behind the subscriber's clock: cross-process clock skew
+            # (an emitter a few ms/s behind) or second-granularity timestamps
+            # (emit.sh's .000Z fallback) would lose events forever. This
+            # mirrors start_background_processing() and bus.ts, which both
+            # call get_pending_events with no `since` argument.
+            events = self.get_pending_events(types=types)
 
             for event in events:
                 yield event